In a Denial-of-Service (DoS) attack, an attacker bombards a victim network or server with a large volume of traffic. The traffic overload consumes the victim's available bandwidth, CPU capacity, or other critical system resources, and eventually brings the network or server to a situation in which it is unable to serve its legitimate clients. Distributed DoS (DDOS) attacks can be even more damaging, as they involve creating artificial network traffic from multiple sources simultaneously. In a “conventional” massive-bandwidth attack, the source of the attack may be traced with the help of statistical analysis of the source Internet Protocol (IP) addresses of incoming packets. The victim can subsequently filter out any traffic originating from the suspect IP addresses, and can use the evidence to take legal action against the attacker. Many attacks, however, now use “spoofed” IP packets—packets containing a bogus IP source address—making it more difficult for the victim network to defend itself against attack.
Even with the recent improvement of attack detection systems, a need exists for a system that will perfectly classify network traffic. The attack detection systems all eject good traffic (false positives), or accept bad traffic (false negatives). The algorithms share the common problem: how to adjust the “sensitivity” of the algorithm in order to strike the right balance between the twin evils of rejecting good traffic and accepting bad traffic. The embodiments of the invention provide a solution to this problem. The approach involves attributing a cost to bad identification of traffic, then minimizing the overall cost. There is a need for a detection system that automatically adjust sensitivity at short time scales, rather than requiring operator intervention, which requires longer time scales.
The present embodiments meet these needs.